Gentoo Forums
sudo misbehaving on network-connected machines
LiquidAcid (Apprentice; Joined: 11 Sep 2006; Posts: 171)
Posted: Wed Oct 17, 2007 10:35 am    Post subject: sudo misbehaving on network-connected machines

Hi there,

I have some security issues with the sudo package on my Gentoo boxes. Let's say I have two machines with IP addresses 192.168.0.1 and 192.168.0.2 - the hostnames are Alice and Bob (*g*) and the hostnames are correctly entered in each of the hosts files on the machines.

Both machines have a sudoers file set up which allows the normal user, say 'test', to shut down the system. According to everything that I've read about sudo it should be possible to enter 'localhost' in sudoers for the commands that should only be allowed to execute when the user is really logged in on the local console and NOT via ssh login over the network.

Now that's the first problem. If I set up sudoers with localhost I can't shut down the system as the normal user. sudo -l simply tells me that the user is not allowed to run sudo on the machine. That's when I'm logged in at the local console. Nothing with network yet.

I can get this working when replacing localhost by Alice and Bob (respectively); now sudo -l shows me the shutdown command and it works. But that's not what I want. Here comes the second problem. When I remote-login from Alice into Bob I can also shut down Bob, even if only a user ON Alice should be allowed to do it.

I'm going to post my sudoers and hosts file, but I really don't think the problem originates from there. I suspect some sort of authentication problem or something related. The funny thing is: I have access to an Ubuntu box and the problem also appears there.

Maybe I'm simply not understanding this whole sudo concept?!

Thanks,
liquid
LiquidAcid (Apprentice; Joined: 11 Sep 2006; Posts: 171)
Posted: Thu Oct 18, 2007 8:15 pm

/etc/sudoers
Code:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification

# Reset environment by default
Defaults        env_reset

# Uncomment to allow users in group wheel to export variables
# Defaults:%wheel       !env_reset

# Allow users in group users to export specific variables
# Defaults:%users       env_keep=TZ

# Allow specific user to bypass env_delete for TERMCAP
# Defaults:user     env_delete-=TERMCAP

# Set default EDITOR to vi, and do not allow visudo to use EDITOR/VISUAL.
# Defaults      editor=/usr/bin/vim, !env_editor

# Runas alias specification

# *** REMEMBER ***************************************************
# * GIVING SUDO ACCESS TO USERS ALLOWS THEM TO RUN THE SPECIFIED *
# * COMMANDS WITH ELEVATED PRIVILEGES.                           *
# *                                                              *
# * NEVER PERMIT UNTRUSTED USERS TO ACCESS SUDO.                 *
# ****************************************************************

# User privilege specification
root    ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel        ALL=(ALL)       ALL

# Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

# Users in group www are allowed to edit httpd.conf using sudoedit, or
# sudo -e, without a password.
# %www          ALL=(ALL)       NOPASSWD: sudoedit /etc/httpd.conf

# Samples
# %users  ALL=/bin/mount /cdrom,/bin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

# allow liquid on leena to use truecrypt
liquid          leena   =       /usr/local/bin/tc_standard.sh
liquid          leena   =       /usr/local/bin/tc_usb.sh
liquid          leena   =       /usr/local/bin/tc_disc.sh
liquid          leena   =       /usr/local/bin/tc_show_list.sh
liquid          leena   =       /usr/bin/mount.cifs
#liquid         localhost       =       /usr/local/bin/tc_standard.sh
#liquid         localhost       =       /usr/local/bin/tc_usb.sh
#liquid         localhost       =       /usr/local/bin/tc_disc.sh
#liquid         localhost       =       /usr/local/bin/tc_show_list.sh
#liquid         localhost       =       /usr/bin/mount.cifs


/etc/hosts
Code:
# /etc/hosts:  This file describes a number of hostname-to-address
#              mappings for the TCP/IP subsystem.  It is mostly
#              used at boot time, when no name servers are running.
#              On small systems, this file can be used instead of a
#              "named" name server.  Just add the names, addresses
#              and any aliases to this file...
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/hosts,v 1.8 2003/08/04 20:12:25 azarah Exp $
#

127.0.0.1       localhost
192.168.0.1     router.entropy router
192.168.0.8     voodoomaster.entropy voodoomaster
192.168.0.34    leena.entropy leena
192.168.0.122   fantagiro
192.168.0.254   audioserver.entropy audioserver


Nothing spectacular here.
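The behaviour described in the first post and visible in the sudoers file above follows from how sudo matches the Host field: the Host_List is compared against the name and (non-loopback) addresses of the machine sudo is running on, never against where the session came from. The following model is an added example, not code from the poster or from the sudo project; the host facts for "leena" are constructed from the /etc/hosts above, and `parse_rule`, `host_matches`, `allowed` and `check` are names chosen here.

```python
# Added example: a small model of sudo's Host field matching. The local host's
# name and interface addresses decide the match; the login origin (console or
# ssh) does not enter the evaluation at all, which is why there is no such
# parameter anywhere below.
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    user: str
    hosts: tuple   # Host_List entries, e.g. ("leena",) or ("localhost",)
    command: str   # command (with arguments) the rule grants


def parse_rule(line: str) -> Rule:
    """Parse 'user  host1,host2 = /path/cmd args', the form used in the thread."""
    lhs, command = line.split("=", 1)
    user, hosts = lhs.split(None, 1)
    return Rule(user.strip(), tuple(h.strip() for h in hosts.split(",")), command.strip())


def host_matches(entry: str, hostname: str, fqdn: str, addrs: frozenset) -> bool:
    """One Host_List entry against the local host: ALL, '!' negation,
    shell-style wildcards on the short or fully-qualified name, or a plain IP."""
    if entry.startswith("!"):
        return not host_matches(entry[1:], hostname, fqdn, addrs)
    if entry == "ALL" or entry in addrs:
        return True
    return fnmatch.fnmatchcase(hostname, entry) or fnmatch.fnmatchcase(fqdn, entry)


def allowed(rules, user, command, hostname, fqdn, addrs) -> bool:
    """True if some rule for this user grants this command on this host.
    A session that arrived over ssh from another box evaluates identically."""
    return any(r.user == user and r.command == command
               and any(host_matches(h, hostname, fqdn, addrs) for h in r.hosts)
               for r in rules)


# Constructed facts for the poster's machine "leena" (see its /etc/hosts).
# sudo skips loopback interfaces, so 127.0.0.1 / "localhost" is not in the list
# unless the machine's own hostname happens to be "localhost".
LEENA = dict(hostname="leena", fqdn="leena.entropy", addrs=frozenset({"192.168.0.34"}))
SHUTDOWN = "/sbin/shutdown -h now"


def check(rule_line: str, host=LEENA) -> bool:
    """Would user 'liquid' be allowed SHUTDOWN under this single sudoers line?"""
    return allowed([parse_rule(rule_line)], "liquid", SHUTDOWN, **host)


if __name__ == "__main__":
    for line in ("liquid localhost = " + SHUTDOWN, "liquid leena = " + SHUTDOWN):
        print(f"{line!r:45} -> {check(line)}")
```

Restricting a command to console logins therefore cannot be expressed through the Host field; it has to come from something that does see the session, such as a PAM check on the tty, which is a separate mechanism from sudoers.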
LiquidAcid (Apprentice; Joined: 11 Sep 2006; Posts: 171)
Posted: Wed Oct 24, 2007 3:30 pm

*bump*

I think I'm trying the official sudo mailing list as nobody seems to have this kind of problem.